1. Field of Invention
The present invention relates to wireless networking, and more particularly, to an authentication and secure communication system for a Wi-Fi (IEEE 802.11) network.
2. Description of Related Art
A Wireless Local Area Network (WLAN) is generally implemented to provide local connectivity between a wired network and a mobile computing device. In a typical wireless network, all of the computing devices within the network broadcast their information to one another using radio frequency (RF) communications. WLANs are based on the Institute of Electrical and Electronic Engineers (WEE) 802.11 standard, which designates a wireless-Ethernet specification using a variety of modulation techniques at frequencies generally in the 2.4 gigahertz (GHz) and 5 GHz license-free frequency bands.
The IEEE 802.11 standard (“Wi-Fi”), the disclosure of which is incorporated herein in its entirety by reference, enables wireless communications with throughput rates up to 54 Mbps. Wi-Fi (for “wireless fidelity”) is essentially a seal of approval certifying that a manufacturer's product is compliant with IEEE 802.11. For example, equipment carrying the “Wi-Fi” logo is certified to be interoperable with other Wi-Fi certified equipment. There are Wi-Fi compatible PC cards that operate in peer-to-peer mode, but Wi-Fi usually incorporates at least one access point, or edge device. Most access points have an integrated Ethernet controller to connect to an existing wired-Ethernet network. A Wi-Fi wireless transceiver connects users via the access point to the rest of the LAN. The majority of Wi-Fi wireless transceivers available are in Personal Computer Memory Card International Association (PCMCIA) card form, particularly for laptop, palmtop, and other portable computers, however Wi-Fi transceivers can be implemented through an Industry Standard Architecture (ISA) slot or Peripheral Component Interconnect (PCI) slot in a desktop computer, a Universal Serial Bus (USB), or can be fully integrated within a handheld device.
FIG. 1 illustrates a typical conventional Wi-Fi network 100. Particularly, Wi-Fi network 100 comprises a number (N) of computing devices 110A-N and an access point 120. Each computing device 110 comprises a Wi-Fi transceiver (not shown) such as a Wi-Fi enabled network interface card (NIC) to communicate with the access point via an RF communications link 115. The access point 120 comprises a Wi-Fi transceiver (not shown) to communicate with a wired network via an RF communications link 125.
Authentication and security features offered by Wi-Fi products to date have been implemented via Wired Equivalency Protocol (WEP). With WEP enabled, an access point will not admit anyone onto the LAN without the proper WEP settings. The WEP settings are used primarily for wireless security, but they also form the basis for authentication in that without these settings known to and used by the user, the user cannot connect through the access point. WEP comes in 40-bit or 128-bit forms. The 40-bit version is actually a 40-bit key plus a 24 bit Initialization Vector (“IV”), whereas the 128-bit version is really a 104-bit plus the 24-bit IV. WEP utilizes a RC4 stream cipher. This stream cipher works by using the WEP key and the IV to seed a pseudo-random number generator (“PRNG”), which generates a keystream equal in length to the text it is encrypting plus the IV. The text and keystream are XOR'd together to produce the encrypted data. Prepended to the encrypted data is the IV so that the receiving side can seed its PRNG to XOR the encrypted text with the same keystream to recover the original text.
Unfortunately, the mere presence of the plain text IV prepended to the encrypted text enables one to easily attack WEP. In a WEP attack, since the IV is known, i.e., transmitted as plain text, and the first byte of the encrypted text is known, the first byte of the keystream can be immediately derived. Since a standard WEP key has a first byte that is constrained to values between three (3) and seven (7), and the second byte must be 0xFF, all that is necessary is a large sample of data to quickly, e.g., less than 15 minutes, recover the original key. Since the IV is only 24-bits, there can only be approximately 17 million distinct values. In a typical system, the IV repeats often over a twenty-four (24) hour period. Exploiting this repetition and the weak IVs makes it very easy to crack WEP.
To counter this problem, a number of solutions have emerged that attempt to fix the problem by developing external fixes to the issues of authentication and security. The typical fix involves a “VPN-like” solution. The solution takes the form of software added to the client-side that encrypts/decrypts data outside of the Wi-Fi card, typically on the user's PC. On the network side of the access point, a server performs the similar function of encryption/decryption. A secure tunnel is formed between the client and the server using the access point only as a conduit between the two ends. Unfortunately, this does not prevent unauthorized users from associating with or using the LAN as the WEP keys can still be easily compromised.
To solve the above problem, others have developed network appliances that force all access points to be directly connected to an appliance box, which is typically a rack-mounted box that performs a specific bunch of functions on the network. For example, an appliance box is a router or an Ethernet switch, or a web-server or virtual private network (VPN) gateway box. Boxes like BlueSocket's WG-1000 Wireless Gateway™ provide a separate authentication/security server that segregates wireless traffic from the rest of the network. In a sense, a separate LAN is provided, to which all of the access points must connect and then their traffic is directed into their gateway before it is allowed to go onto the LAN.
Of particular interest is the Port Based Network Access Control WEE 802.1x solution, which is being adopted by numerous parties and has built-in support in Windows XP™. WEE 802.1x is a LAN-based specification that has been modified for use in wireless networks. Particularly, a separate authentication server is used to authenticate users who attempt to connect onto the LAN. When a user, i.e., client, first associates with the access point, the access point forwards the authentication request to the authentication server, which in turn then communicates back through the access point to the client. This back-and-forth process using the access point as a proxy continues until an authentication algorithm is mutually agreed and a successful authentication takes place. 802.1x unfortunately does not specify the authentication method nor does it provide any ‘hand-off’ of information between two access points. Thus, in actual practice two fully-compliant 802.1x-enabled access points may not handle a user the same way on the same network. To use 802.1x technology, legacy access points are generally replaced with new units that support 802.1x.
There are many others that are developing complementary solutions for Wi-Fi networks. Most, however, offer complex solutions geared towards large-scale networks with 200 or more users. These systems are vendor-specific, expensive, complex to install, require ongoing IT support and maintenance, and may not work with legacy Wi-Fi equipment.